Home / 0.94
Name Modified Size Downloads / Week Status
Parent folder
Totals: 3 Items   1.7 GB 5
OWASP_Broken_Web_Apps_VM_0.94.zip 2011-07-25 1.1 GB 33 weekly downloads
readme.txt 2011-07-25 4.2 kB 11 weekly downloads
OWASP_Broken_Web_Apps_VM_0.94.7z 2011-07-25 692.9 MB 11 weekly downloads
Release notes for the Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications that is distributed on a Virtual Machine in VMware format compatible with their no-cost and commercial VMware products. More information about the project can be found at http://www.owaspbwa.org/. The VM can be downloaded as a .zip file or as a much smaller .7z 7-zip Archive. BOTH FILES CONTAIN THE EXACT SAME VM! We recommend that you download the .7z archive if possible to save bandwidth (and time). 7-zip is available for Windows, Mac, Linux, and other Operating Systems. !!! This VM has many serious security issues. We strongly recommend that you run it only on the "host only" or "NAT" network in the virtual machine settings !!! Version 0.94 - 2011-07-24 - No changes from 0.94rc3. Version 0.94rc3 - 2011-07-14 - More fixes to hackxor applications (thanks again to Albino Wax). Version 0.94rc2 - 2011-07-13 - Fixes to hackxor applications (thanks to Albino Wax for fixes). Version 0.94rc1 - 2011-07-11 - Added a number of new applications, including Gruyere, Hackxor, WackoPicko, BodgeIt, TikiWiki, Joomla, Gallery2, WebCalendar, AWStats, and ZAP-Wave (thanks to Mike Cyr for lots of work in this area). - New and improved "home" page in the VM (thanks again to Mike Cyr). Version 0.93rc1 - 2011-01-19 - Rebuilt OrangeHRM database to fix login issue (thanks to Dave van Stein for reporting this) - Configured mod_proxy on Apache web server to reverse proxy applications running on Tomcat web server. Disabled direct access to Tomcat server - Installed ModSecurity to 2.5.13 from source (needed by Core Rule Set) - Configured the ModSecurity Core Rule Set. It is disabled by default, but can be enabled through the use of new shell scripts in /usr/local/bin - Adjusted Samba shares to follow symlinks - Removed some miscellaneous old / duplicate files - Attempted to fix phpBB issues, but was unsuccessful. That application is broken for this release and marked as such in the index.html file (thanks to Dave van Stein for reporting this issue) Version 0.92rc2 - 2010-11-15 - Fixed bug with MySQL databases not starting properly (thanks to Tom Neaves for reporting this) Version 0.92rc1 - 2010-11-10 - Developed method for tracking known issues in the applications at http://sourceforge.net/apps/trac/owaspbwa/report/1. - Updated base OS to Ubuntu 10.04 LTS - Updated DVWA to SVN version > 1.07 - Updated Mutillidae to version 1.5 - Updated WebGoat to SVN version > 5.3 - Added and configured three "real" applications suggested by Matt Tesauro: - Added application: GetBoo version 1.04 (http://sourceforge.net/projects/getboo/files/) - Added application: GTD-PHP version 0.7 (http://sourceforge.net/projects/gtd-php/files/) - Added application: OrangeHRM version 2.4.2 (http://www.orangehrm.com/) - Fixed bug in DVWA database permissions that was preventing stored XSS from working (thanks to Owen Wright for reporting this) Version 0.91rc1 - 2010-03-24 - Updated OWASP Vicnum to version 1.4 (http://www.owasp.org/index.php/Category:OWASP_Vicnum_Project) - Added application: Ghost (http://webdevelopmentsolutions.org/) - Added application: Peruggia version 1.2 (http://peruggia.sourceforge.net/) - Added application: OWASP AppSensor Demo (http://www.owasp.org/index.php/Category:OWASP_AppSensor_Project) - Fixed bug where VM would sometimes not get an address from DHCP on boot - Fixed bug where PHP magic quotes were enabled for some applications, preventing SQL Injection - Changed password for some applications to match standard users named 'admin' and 'user' with the password the same as the username - Moved databases, applications that run on Apache web server, some configuration files, and some applications that run on Tomcat web server into SVN with symlinks to the SVN directory in the normal file system. - Fixed bug in where permissions on /var/www/dvwa were not set properly (thanks to Dale Castle for reporting this) Version 0.9 - 2009-11-11 - Initial Release
Source: readme.txt, updated 2011-07-25